The Importance of User Behavior Analytics in Security by Design

As employment and work styles have diversified in recent years, it has become difficult to ensure security with conventional measures that apply only to limited locations and points. Because even slightly careless behavior by humans, the users, can leak important information, users themselves are becoming the boundaries of security. This seminar introduces the importance of user behavior analysis, which is crucial for implementing "Security by Design" practices.
[Fujitsu Forum 2017 Seminar Report]

Users as the New Boundaries of Security

"Security by Design" is an information security concept that should be implemented during planning and design, not after operations start.

One way to ensure security is to establish a framework including "process rules," "risk analysis/security requirement definitions," and "technology countermeasures." Most of these measures will be implemented to control users.
Humans are clever: when restrictions are placed on them, people will find some way around those restrictions, whether or not they have malicious intent. As a result, user behavior, intentional or not, can create security holes that lead to security risks such as information leaks and insider threats.

In the past, the targets that needed to be protected--such as employees, users, and sensitive information--were concentrated in fixed locations, such as offices and data centers. More recently, however, these targets have become distributed due to cloud computing, mobile computing, outsourcing, and offshore activities. So, we can say that users are the new boundaries of security.

Users also differ widely in IT literacy, technology, philosophy, ethical values, and working styles. To verify whether each individual user's behavior is appropriate, it is effective to perform the analysis close to the user, at the end point.

If we attempt to perform user behavior analysis at the end point, we must address several challenges, including privacy compliance, the high level of expertise needed for large-volume data analysis, and the impact on end-point performance.

In Security by Design, while analyzing user behaviors is important, it can be difficult to analyze behaviors and judge their acceptability.

Detecting Abnormal Behaviors to Speedily Identify Insider Threats

Mohan Koo
Co-Founder & CTO
Dtex Systems

Dtex Systems has been conducting insider threat investigations for more than 10 years.

When looking to stop insider threats, many companies focus on "exfiltration." Everyone is worried about how to stop events, how events are seen, and how to know who took what data, when, and where to. However, if we detect such events at the time of exfiltration, it is already too late and the data is gone.

Focusing on All Steps of Insider Threats - Detecting in the Exfiltration Stage Is Too Late

The flow of insider threats consists of five steps: reconnaissance, circumvention, aggregation, obfuscation, and exfiltration. People tend to pay attention only to the final step, "exfiltration." However, by the time one detects who took the data and how, and attempts to prosecute that party, the data has already been stolen. To prevent security incidents, we must detect and prevent attacks at each step without focusing only on the final stage, exfiltration.

The first thing an infiltrator who penetrates a system does is to start looking. What files can I access? What kind of security systems are in place? This is the reconnaissance phase.

The second step is "circumvention," in which the infiltrator attempts to circumvent the installed security tools. The third step is "aggregation," in which the attacker aims to gather data in one location.
In the fourth step, "obfuscation," the infiltrator hides the traces of his/her behavior. Renaming files is a very common technique, but if someone accesses files that have never been accessed before and then renames the files, the fact that the person renamed the files is a large indicator that he/she intended to cover his/her tracks.

The fifth and final step is "exfiltration." If we examine each of these steps and study the behaviors, we can detect "abnormal behaviors" and stop such behaviors before attackers leave with data.
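The obfuscation indicator described above, a user renaming files that they had never accessed before, is one of the abnormal behaviors an end-point event stream can surface. The following Python is an added example, not code from the seminar or from Dtex Systems: it parses a constructed log in an assumed format (timestamp, user, action, path, optional new path) and flags renames of files that are new to the renaming user. The log format, the field names and the 7-day novelty window are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample collector log (not real Dtex output; the format is an assumption):
# "<ISO timestamp> <user> <action> <path> [-> <new_path>]"
SAMPLE_LOG = """\
2017-03-20T10:15:00 alice open /finance/q1.xlsx
2017-05-09T16:40:00 alice open /finance/q1.xlsx
2017-05-10T09:00:00 alice rename /finance/q1.xlsx -> /finance/q1_final.xlsx
2017-05-10T08:30:00 bob open /hr/salaries.xlsx
2017-05-10T08:35:00 bob rename /hr/salaries.xlsx -> /hr/notes.txt
2017-05-10T10:00:00 carol rename /eng/design.pdf -> /eng/holiday.jpg
"""

Event = namedtuple("Event", "ts user action path new_path")

# Assumption: a first access this recent still counts as "never accessed before".
NOVELTY_WINDOW = timedelta(days=7)


def parse_log(text):
    """Parse the assumed log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rest = line.split(maxsplit=3)
        path, _, new_path = rest.partition(" -> ")
        events.append(Event(datetime.fromisoformat(ts), user, action, path, new_path or None))
    return events


def detect_rename_after_first_access(events, novelty_window=NOVELTY_WINDOW):
    """Return findings for renames of files that are new to the renaming user.

    A file counts as new when the user has no earlier recorded access to it, or
    when the user's earliest access lies inside the novelty window. Files the
    user has worked on for a long time can be renamed without being flagged.
    """
    first_access = {}   # (user, path) -> earliest timestamp that user touched it
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.path)
        if e.action == "rename":
            earliest = first_access.get(key)
            if earliest is None or e.ts - earliest < novelty_window:
                findings.append({
                    "user": e.user, "ts": e.ts, "from": e.path, "to": e.new_path,
                    "reason": "never accessed" if earliest is None
                              else f"first accessed {e.ts - earliest} ago",
                })
            # The renamed file keeps its access history under its new name.
            if key in first_access:
                first_access.setdefault((e.user, e.new_path), first_access[key])
        first_access.setdefault(key, e.ts)
    return findings


if __name__ == "__main__":
    for finding in detect_rename_after_first_access(parse_log(SAMPLE_LOG)):
        print(f"{finding['ts']:%Y-%m-%d %H:%M} {finding['user']}: "
              f"renamed {finding['from']} -> {finding['to']} ({finding['reason']})")
```

On the sample log, alice's rename of a file she has used for weeks is not flagged, while bob's rename five minutes after his first ever access and carol's rename with no prior access are. A single rename is a weak signal on its own; in practice the rule is tuned against the environment's baseline and correlated with the aggregation stage (many copies into one location) before an alert is raised.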

For one major exchange in London, our system has managed to catch more than 5 people in the last 12 months before they walked out of the building. We prevented data leakage before it occurred, safeguarding the brand's reputation against damage.

The Idea of "Trust But Verify"

The primary approach to cyber security for the last 10 years has been to "lock everything down." Stop users from using USB devices, restrict which websites they can visit--that is the traditional approach. However, when we stop users from doing things that they should be able to do in order to do their jobs, they always find another way around these measures.

So, when you hire somebody, you should trust them. When you employ them, you put them through a vetting process, carry out due diligence, and study how they performed in their former jobs.

If you trust your employees, you should give them broad access without restrictions so that they can do their jobs well, because they need to use a variety of means to be quick and innovative. At the same time, you must verify what they do.
It is important to verify the content of users' work, create a mechanism to detect and stop bad behavior, and, when an employee makes a mistake, teach them how not to do it again.

Technology to Comply with Privacy Laws Globally

Dtex Systems has developed a "collector," which is a very lightweight end-point collector that goes on all users' devices and collects behavioral data from the moment the user logs on to the device until the user logs off.

We collect data from many devices and gather the data in a central repository, from which we can run analytics on an anonymous basis. For data anonymization, we strip out any data that could be used to identify an individual, and then we encrypt the data. We can see all user behaviors, but we cannot identify any individuals.

In this way, analysts can detect bad behaviors without identifying individuals by name. If bad behavior is uncovered, the analyst seeks permission from a superior, the legal department, or the compliance department before accessing the file to identify the user name and start an investigation. This mechanism is needed to protect the rights and privacy of employees and other individuals, especially in places like Europe where privacy laws are very strict.

This system is privacy compliant and does not collect any content, key logs, key strokes, or screen shots. It can be deployed in any country and be made compliant with that country's privacy laws.
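The pseudonymized analysis described above (strip direct identifiers, analyze behavior on tokens only, and re-identify a person only with approval) can be sketched in code. The following Python is an added example, not Dtex's collector or repository code: the event fields, the keyed-hash token, the two-approval rule and the custodian class are all assumptions chosen to illustrate the separation between analysts and the party that can re-identify a user. The encryption of the stored data mentioned by the speaker is represented only by the custodian holding the key; the example also scrubs the user name out of free-text fields such as paths, because a home-directory path re-identifies a user as surely as a user-name field does.

```python
import hashlib
import hmac
import re

# Constructed sample events handed over by the collector (field names are an
# assumption, not Dtex's actual format). Note the paths carry an indirect identifier.
RAW_EVENTS = [
    {"user": "bob", "host": "LAPTOP-BOB", "email": "bob@example.com",
     "action": "rename", "path": "/hr/salaries.xlsx", "new_path": "/home/bob/notes.txt"},
    {"user": "bob", "host": "LAPTOP-BOB", "email": "bob@example.com",
     "action": "copy", "path": "/home/bob/notes.txt", "new_path": "E:/notes.txt"},
    {"user": "alice", "host": "DESK-ALICE", "email": "alice@example.com",
     "action": "open", "path": "/finance/q1.xlsx", "new_path": None},
]

DIRECT_IDENTIFIERS = ("user", "host", "email")   # fields dropped before analysis


class PseudonymCustodian:
    """Holds the keyed-hash secret and the token -> identity map.

    Analysts work only on the pseudonymized stream and never hold an instance of
    this class; re-identification goes through reidentify() with approvals.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}   # token -> user name, kept only on the custodian side

    def token_for(self, user: str) -> str:
        # Keyed hash: the same user always maps to the same token, so behavior can
        # be correlated over time, but the token cannot be reversed without the key.
        token = hmac.new(self._key, user.lower().encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = user
        return token

    def reidentify(self, token: str, approvals: set) -> str:
        # Assumption: two distinct approving roles (e.g. a superior and legal) are required.
        if len(approvals) < 2:
            raise PermissionError("re-identification needs approval from two roles")
        return self._lookup[token]


def pseudonymize(event: dict, custodian: PseudonymCustodian) -> dict:
    """Strip direct identifiers, replace the user with a token, and scrub the
    user name out of free-text fields such as paths."""
    user = event["user"]
    token = custodian.token_for(user)
    scrub = re.compile(re.escape(user), re.IGNORECASE)
    out = {"subject": token}
    for key, value in event.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        out[key] = scrub.sub(token, value) if isinstance(value, str) else value
    return out


def contains_identifier(event: dict, user: str) -> bool:
    """Check helper: does any string field still mention the user name?"""
    return any(isinstance(v, str) and user.lower() in v.lower() for v in event.values())


if __name__ == "__main__":
    # Constructed key; in a deployment it lives only on the custodian's host.
    custodian = PseudonymCustodian(b"constructed-example-key-keep-on-custodian-host")
    stream = [pseudonymize(e, custodian) for e in RAW_EVENTS]
    for e in stream:
        print(e)
    # An analyst flags the subject that renamed a file and then copied it to
    # removable media, and only then requests re-identification with approvals.
    suspect = stream[0]["subject"]
    print("re-identified as:", custodian.reidentify(suspect, {"superior", "legal"}))
```

The analyst's view keeps every behavioral field needed to chain the rename and the copy to the same subject, while the name, host and e-mail never reach the analytics store; the same token for both of bob's events is what makes the behavioral analysis possible without identifying him.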

Ensuring a High Level of Security While Grasping the Big Picture of People, Processes, and Technology

Security by Design means that we do not focus on technology alone. Companies cannot solve security problems just by buying security products.

It is important to change the people and work processes simultaneously when introducing security products.

We provide the technology to help you find bad behavior. Then, you must make efforts to change your culture, processes, and people in the processes.

For example, when we see someone making a mistake, we think that it is a "teachable moment" (the best time to teach). That is when to reach out to that user and say, "We saw you did something like this, but please do not do that, and here is why." We should make the most of such teachable moments.

To ensure security, you must address people and processes together with technology; by doing so, you can really solve problems. Going forward, Fujitsu and Dtex Systems will collaborate to address this very challenge.